The Zurich American Insurance Company has told Mondelez, a maker of consumer packaged goods, that the NotPetya ransomware attack is considered an act of cyber war and therefore not covered by its policy. According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy: it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers. Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim, invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize Ukraine. This is what Zurich believes constitutes "cyber war."
https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html

Reuters reports that hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients. According to investigators at cyber security firm Recorded Future, the attack was part of what Western countries said in December is a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets. Visma took the decision to talk publicly about the breach to raise industry awareness of the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients.

A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards. Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.

This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols," published last year.

According to the researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular network. The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network. Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones. The AKA version designed for the 5G protocol, also known as 5G-AKA, was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation system. But the vulnerability discovered last year allows surveillance tech vendors to create new models of IMSI-catcher hardware that, instead of intercepting mobile traffic metadata, will use this new vulnerability to reveal details about a user's mobile activity. This could include the number of sent and received texts and calls, allowing IMSI-catcher operators to create distinct profiles for each smartphone holder.
https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/

The Debian Project is recommending the upgrade of golang-1.8 packages after a vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and, in some cases, key recovery. In addition, this update fixes two vulnerabilities in the “go get” command, which could result in the execution of arbitrary shell commands.
https://www.debian.org/security/2019/dsa-4380

It is possible to trick users of the Evolution email application into trusting a phished mail by adding a forged UID to an OpenPGP key that has a previously trusted UID. This is because Evolution extrapolates the trust of one of an OpenPGP key's UIDs onto the key itself. The attack relies on a deficiency in the Evolution UI when handling new identifiers on previously trusted keys to convince the user to trust a phishing attempt. More details about how the flaw works, along with examples, are included in the article, which is linked in the show notes. Let’s take a minute to cover a bit of background on trust models and how validating identities works in OpenPGP and GnuPG:

The commonly used OpenPGP trust models are UID-oriented. That is, they are based on establishing validity of individual UIDs associated with a particular key rather than the key as a whole. For example, in the Web-of-Trust model individuals certify the validity of UIDs they explicitly verified.

Any new UID added to the key is, appropriately, initially untrusted. This is understandable since the key holder is capable of adding arbitrary UIDs to the key, and there is no guarantee that a new UID will not actually be an attempt at forging somebody else's identity. OpenPGP signatures do not provide any connection between the signature and the UID of the sender. While technically the signature packet permits specifying a UID, it is used only to facilitate finding the key, and is not guaranteed to be meaningful. Instead, only the signing key can be derived from the signature in a cryptographically proven way.

GnuPG (as of version 2.2.12) does not provide any method of checking the apparent UID (in other words, the e-mail's From header) against the signature. Instead, only the signature itself is passed to GnuPG, and its apparent trust is extrapolated from the validity of the various UIDs on the key. Another way to say this is that the signature is considered to be made with a trusted key if at least one of the UIDs has been verified.
https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
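The trust-extrapolation problem described above, as an added Python model that is not from the Gentoo article, Evolution or GnuPG: it contrasts the flawed "any valid UID trusts the whole key" check with a UID-bound check that looks up the validity of the UID matching the From header. The key, UIDs and validity values are constructed for the illustration.

```python
# Added example (not from the Gentoo article or Evolution's code): a small model
# of UID-oriented OpenPGP trust. Shows why extrapolating trust from any one UID
# on a key to the key as a whole is unsafe, and the check a mail client should
# make instead. All keys, UIDs and validity values are constructed.
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Key:
    fingerprint: str
    # UID string -> validity as a Web-of-Trust client would compute it
    # ("full" = certified by someone the user trusts, "unknown" = uncertified).
    uids: dict = field(default_factory=dict)


def extrapolated_trust(key: Key) -> bool:
    """Flawed check (the behaviour described for Evolution): the signature is
    treated as trusted if at least one UID on the key is valid, regardless of
    which identity the message claims to come from."""
    return any(v == "full" for v in key.uids.values())


def uid_bound_trust(key: Key, from_header: str) -> bool:
    """Correct check: find the UID whose e-mail address matches the From header
    and use that UID's own validity. A freshly added, uncertified UID is
    'unknown' and therefore untrusted, even on a key with other valid UIDs."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    for uid, validity in key.uids.items():
        _, uid_addr = parseaddr(uid)
        if uid_addr.lower() == addr:
            return validity == "full"
    return False  # no UID on the key matches the claimed sender at all


# Constructed scenario: the key holder's own UID was certified earlier; a UID
# impersonating somebody else's address was then added and nobody certified it.
KEY = Key(
    fingerprint="PLACEHOLDER-FINGERPRINT",  # not a real key
    uids={
        "Key Holder <holder@example.org>": "full",
        "Someone Else <victim@example.com>": "unknown",  # forged, uncertified
    },
)


def demo() -> dict:
    phish_from = "Someone Else <victim@example.com>"
    return {
        "extrapolated": extrapolated_trust(KEY),                 # True: looks trusted
        "uid_bound": uid_bound_trust(KEY, phish_from),           # False: forged UID
        "legit": uid_bound_trust(KEY, "holder@example.org"),     # True: certified UID
    }


if __name__ == "__main__":
    print(demo())
```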

If you’re up for some heavy reading about manipulation and deceit perpetrated by cyber criminals, it may be worth checking out a piece from BuzzFeed News. It tells a woeful and dark tale that does not have a happy ending. A small excerpt reads: “As the tools of online identity curation proliferate and grow more sophisticated, so do the avenues for deception. Everyone’s familiar with the little lies — a touch-up on Instagram or a stolen idea on Twitter. But what about the big ones? Whom could you defraud, trick, ruin, by presenting false information, or information falsely gained? An infinite number of individual claims to truth presents itself. How can you ever know, really know, that any piece of information you see on a screen is true? Some will find this disorienting, terrifying, paralyzing. Others will feel at home in it. Islam and Woody existed purely in this new world of lies and manufactured reality, where nothing is as it seems.”
https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go

A security researcher was allegedly assaulted by an executive of casino technology vendor Atrient after responsibly disclosing critical vulnerabilities to the company. Following a serious vulnerability disclosure affecting casinos globally, the Atrient executive allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. The article covers the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos, and a severe security vulnerability which has gone unresolved for four months without being properly addressed.
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

Article 13, the new European Union copyright law, is back and it has gotten worse, not better. In the Franco-German deal, Article 13 would apply to all for-profit platforms. Upload filters must be installed by everyone except those services which fit all three of the following extremely narrow criteria:

Available to the public for less than 3 years
Annual turnover below €10 million
Fewer than 5 million unique monthly visitors

Countless apps and sites that do not meet all these criteria would need to install upload filters, burdening their users and operators, even when copyright infringement is not at all currently a problem for them.
https://juliareda.eu/2019/02/article-13-worse/

Researchers from Google Project Zero evaluated Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS. There are bypasses possible, but the conclusion says it is still a worthwhile exploitation mitigation technique. Among the most exciting security features introduced with ARMv8.3-A is Pointer Authentication, a feature where the upper bits of a pointer are used to store a Pointer Authentication Code (PAC), which is essentially a cryptographic signature on the pointer value and some additional context. Special instructions have been introduced to add an authentication code to a pointer and to verify an authenticated pointer's PAC and restore the original pointer value. This gives the system a way to make cryptographically strong guarantees about the likelihood that certain pointers have been tampered with by attackers, which offers the possibility of greatly improving application security. There’s a Qualcomm white paper which explains how ARMv8.3 Pointer Authentication was designed to provide some protection even against attackers with arbitrary memory read or arbitrary memory write capabilities. It's important to understand the limitations of the design under the attack model the author describes: a kernel attacker who already has read/write and is looking to execute arbitrary code by forging PACs on kernel pointers.

Looking at the specification, the author identifies three potential weaknesses in the design when protecting against kernel attackers with read/write access: reading the PAC keys from memory, signing kernel pointers in userspace, and signing A-key pointers using the B-key (or vice versa). The full article discusses each in turn.
https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html

There is a dangerous remote code execution flaw in the LibreOffice and OpenOffice software. In the past there have been well-documented instances where opening a document resulted in the execution of malicious code in paid office suites; this time LibreOffice and Apache’s OpenOffice are the susceptible suites. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific Python library bundled within the software using a hidden onmouseover event. To demonstrate this vulnerability, the researcher created an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victims into executing a locally available Python file on their system when placing their mouse anywhere on the invisible hyperlink. According to the researcher, the Python file, named "pydoc.py," that comes included with LibreOffice's own Python interpreter accepts arbitrary commands in one of its parameters and executes them through the system's command line or console.
https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html

Nadim Kobeissi is discontinuing his secure online chat Cryptocat. The service began in 2011 as an experiment in making secure messaging more accessible. In the eight ensuing years, Cryptocat served hundreds of thousands of users and developed a great story to tell. The former maintainer explains on the project’s website that other life events have come up and there’s no longer time available to maintain things. He says that Cryptocat users deserve a maintained secure messenger, and recommends Wire.

The Cryptocat source code remains published on GitHub under the GPL version 3 license. Kobeissi has put the crypto.cat domain name up for sale, and thanks users for their support during Cryptocat's lifetime.
https://twitter.com/i/web/status/1092712064634753024

Malware For Humans explains a complex assault on democracies in plain language, from hacking computers to hacking the human mind, and highlights the hypocrisy of the structure of intelligence agencies, warfare contractors, and the media in doing so. Based on two years of extensive research on and offline, Malware For Humans brings the world of electoral interference into the light and shows that we are going to be vulnerable for the long term in a borderless, online frontier. A complete audio companion is available as a separate podcast, which can be found on iTunes and Spotify as part of The Fall series and is available for free, without advertisements.
https://www.byline.com/column/67/article/2412

Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.

Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to the show’s content. Visit them at Malgregator.com.

Additional supporting sources are also included in our show notes.

Why not start a conversation about the stories from this week on our Subreddit at reddit.com/r/SEHL?

More information about the podcast is available at SecurityEndeavors.com/SEHL

According to a Reuters investigation, the United Arab Emirates used former U.S. intelligence operatives to hack into the iPhones of activists, diplomats and foreign politicians using so-called Karma spyware. It’s described as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said. In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the attackers harvest saved passwords, which could be used for other intrusions. According to the report, Karma relies, at least in part, on a flaw in Apple’s iMessage messaging system. The flaw allowed for the implantation of malware on the phone through iMessage, which establishes a connection with the device even if the phone’s owner didn’t use the app. To initiate the compromise, Karma needed only to send the target a text message — no action was required on the part of the recipient. It isn’t clear whether the Karma spyware is still in use. The story says that by the end of 2017, security updates to the iPhone software had made Karma far less effective.
https://www.reuters.com/investigates/special-report/usa-spying-karma/

Russia also has its own WikiLeaks. Called Distributed Denial of Secrets, the website aims to "bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web." Distributed Denial of Secrets, or DDoS, is a volunteer effort that launched last month. Its objective is to provide researchers and journalists with a central repository where they can find the terabytes of hacked and leaked documents that are appearing on the internet with growing regularity; it is being described as a kind of academic library or museum for leak scholars. DDoS differs from WikiLeaks in that it doesn’t solicit direct leaks of unpublished data; its focus is on compiling, organizing, and curating leaks that have already appeared somewhere in public. The DDoS project compiled more than 200,000 emails into a spreadsheet for ease of searching. In all, its cache now contains 61 different leaks totaling 175 gigabytes.
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked

The Japanese government will run penetration tests against all the IoT devices in the country in preparation for the Tokyo 2020 Summer Olympics. They want to map vulnerable devices and find out how to harden infrastructure. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

The Cyber Independent Testing Lab, or CITL, is a nonprofit organization that focuses on consumer cybersecurity. They published research back in December of 2018, demonstrating how 28 home wireless routers fail to use even basic security techniques. CITL presented an update to that research during Shmoocon 2019, showing identical or similar weaknesses in 1,000 home and commercial Wi-Fi routers, across 6,000 firmware versions and 18 vendors. This includes highly rated devices from brands such as Asus, Belkin, Buffalo, D-Link, Linksys, and Netgear. It’s no secret that many Wi-Fi routers are highly insecure. Security researchers, pointing at issues such as hard-coded default passwords and irregular security updates, have been issuing warnings for years. What might be alarming about CITL’s latest research is that despite the alarm bells, CITL finds that vendors are generally building Wi-Fi routers with fewer protections than they had in 2003. The organization’s acting director says the research will be published soon on the CITL site.
https://the-parallax.com/2019/01/24/wi-fi-router-security-worse-citl-shmoocon/

A bug in the Samsung Galaxy Apps Store allowed an attacker to inject arbitrary code by intercepting the periodic update requests made by the vendor’s app store itself. Because the Samsung Galaxy Apps Store initiates its update checks in the clear (not over a secured connection), an attacker in a man-in-the-middle position can manipulate the network traffic, change the URL used for load balancing, and modify the requests for the update mirrors to point at inauthentic, attacker-controlled domains. This would allow an attacker to trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid digital certificate, and to simulate the API of the app store in order to modify existing apps on a given device. An attacker could exploit this vulnerability to achieve remote code execution on Samsung devices.
https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/

Over 9,000 Cisco RV320/RV325 routers are currently being exploited in the wild after the network hardware manufacturer announced updates were available to patch newly published vulnerabilities. The release of the proof-of-concept exploit code triggered the scanning of devices by would-be attackers and professionals alike. Thousands of routers are exposed on the internet with a web-based management interface vulnerability that could allow an unauthenticated, remote attacker to either retrieve sensitive configuration information or perform remote command injections.
https://securityaffairs.co/wordpress/80363/hacking/cisco-rv320-rv325-hack.html

If you can imagine a mathematical version of the Kumite featured in the 80s movie Bloodsport, then you might be cheering from the stands this week as the US National Institute of Standards and Technology (NIST) announced the second-round candidates for quantum-resistant public-key encryption and key-establishment algorithms. After releasing a report on the status of quantum-resistant cryptography in April 2016, NIST followed up in December 2016 with a call to the public to submit post-quantum algorithms that potentially could resist a quantum computer’s onslaught. The agency spent one year collecting the submissions and another working with the larger cryptography community on a first round of review to focus on the most promising algorithms. Of the 69 submissions NIST received, these 26 algorithms made the cut. This second round will focus more heavily on evaluating the submissions’ performance across a wide variety of systems, Moody said, because so many different devices will need effective encryption.
https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/bBxcfFFUsxE
https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals

A vulnerability in Apple’s FaceTime application allows the activation of the microphone of the device being called, allowing audio to be transmitted back to the person who initiated the session, all without the call ever having been accepted. It’s also possible to trigger the camera to turn on as well. The issue has been replicated when calling either from a mobile device or from a Macintosh desktop. Apple has disabled the FaceTime conferencing servers until the fix is released. Word of the FaceTime bug has been spreading virally over social media. Apple says the issue will be addressed in a software update “later this week”.
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

Book publisher No Starch Press got an unwelcome surprise this week when it discovered a counterfeit version of one of their books on Amazon’s self-publishing platform, CreateSpace. Bill Pollock, the publisher’s founder, has taken to Twitter to help raise awareness of the fraudulent item and is seeking assistance from Amazon to remedy the situation. Unfortunately this isn’t the first time printed fakes have made their way into the online merchant’s listings. The fake books are of noticeably lower quality, especially the screenshots. According to the current tweets, it took months to resolve things last time. Hopefully Bill Pollock and the No Starch crew don’t have to wait as long to see results this time. The best way to be sure you’re getting the real deal is to order direct from their website at NoStarch.com. That way you know what you’re getting, and you get a DRM-free copy in eBook format, too.
https://twitter.com/billpollock/status/1091840257073471488

If you’re a tenant in the US, it’s very likely that a management-provided smart home system is headed your way in the near future. It will be important to carefully evaluate your family’s personal threat model, and consider the plausible digital ways in which these systems could be exploited. A well known infosec professional recently had occasion to dive much more deeply into the topic when their apartment’s property management company announced that all units would be “upgraded” from traditional lock and key to smart locks. This raised more than a few questions and concerns in the researcher's mind and kicked off a significant amount of research and engagement with all parties involved. Several thought-provoking suggestions come out of the article, including:
Spend some time reading into the vendor.
Respectfully and courteously encourage your property management company and their smart system vendor to adopt industry best practices in securing smart hubs both physically and digitally, the networks they are connected to, and resident data at rest and in transit in their infrastructure.
Request that your property managers clearly and decisively address privacy concerns such as data ownership and resale, in writing.
If solid answers in writing don’t assuage legitimate concerns, consider politely seeking an option to opt out, and make your threat model clear to them if you’re in a sensitive situation.

The author ends by saying, “These systems are the future – let’s do them right, for everybody.” Adapted from the article: Security Things to Consider When Your Apartment Goes Smart, posted on tisiphone.net.
https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/

Have you ever been out and about with a Raspberry Pi and wanted to update the configuration on the SD card, but didn’t have the necessary monitor, keyboard or mouse handy? That’s the type of situation that resulted in the creation of PiBakery! The key feature of PiBakery is its ability to create a customised version of Raspbian that you write directly to your Raspberry Pi’s SD card. This works by creating a set of scripts that run when the Raspberry Pi has been powered on, meaning that your Pi can automatically perform setup tasks, and you don't need to configure anything. The scripts are created using a block-based interface that is very similar to Scratch. If you've used Scratch before, you already know how to use PiBakery. Simply drag and drop the different tasks that you want your Raspberry Pi to perform, and they'll be turned into scripts and written to your SD card. As soon as the Pi boots up, the scripts will be run. If you've already made an SD card using PiBakery, you can insert that SD card back into your computer, and keep editing the blocks to add additional software, configure new WiFi networks, and alter different settings. All without having to find a monitor, keyboard and mouse. All the different blocks for PiBakery are stored on GitHub, which means that anyone who either has created software that they want to easily distribute to Raspberry Pis, or has a setup script they want to share with others, can turn this into an easy-to-use block, allowing others to use their software or script with ease.
https://www.pibakery.org/index.html

If you’re a Windows user, maybe you’ve been using the Snipping Tool over the years to make quick screenshots. Since February of 2018, Windows 10 users have had access to Snip & Sketch from the Microsoft app store. It’s a modern version of the solid tool dating back to Windows 7. It’s also available for the Xbox One, so maybe someone could explain a few use cases over the built-in screenshot options? Happy documenting.
https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l?activetab=pivot:overviewtab

Thanks for listening and we'll see you next week!

Microsoft's mobile Edge browser on both iOS and Android begins issuing fake news warnings. Previously only available as a desktop plugin, it’s powered by news rating company NewsGuard. The feature can be toggled on via the app’s settings under "news rating." The description boasts that it has "evaluated news websites that account for 98% of online media engagements in the United States." Here's how it works: once enabled, it provides a rating icon in the address bar (red for unreliable and green for trusted). Tap it and you'll see a nutrition-styled label with more information. For instance, if a site is flagged as untrustworthy, it reads: "Proceed with caution: this website generally fails to maintain basic standards of accuracy and accountability." And, if you see a site sans label, you can submit it for review.
https://www.engadget.com/2019/01/23/microsoft-edge-mobile-fake-news

A vulnerability in the Advanced Persistent Threat management tool… Just kidding. A researcher found a vulnerability in apt, or Advanced Package Tool, a popular package manager, that allows a network-based man-in-the-middle to execute arbitrary code as root on a machine installing any package. There’s also a risk of a bad actor exploiting this issue by standing up a malicious package mirror. The bug has been fixed in the latest versions of apt. Worried about being exploited during the update process? Protect yourself by disabling HTTP redirects while you update. A link to more information and the author’s steps are in this week’s show notes.
https://justi.cz/security/2019/01/22/apt-rce.html

The encryption mode in the well-known compression software 7-Zip uses poor randomness when generating AES (Advanced Encryption Standard) initialization vectors (IVs). The code uses a poor random number generator (RNG) for AES initialization vector generation. What's more, the method seems to use only 8 bytes instead of the full 16, so that half of the IV is always zeros. This is a problem because the security guarantee of AES-CBC is based on having a 128-bit IV that is truly random, i.e. derived from a cryptographically secure pseudo-random number generator. CBC refers to Cipher Block Chaining, a cryptographic mode of operation invented in 1976. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block. Otherwise it resembles the method used in Electronic Codebook, or ECB. Seen as the simplest of the encryption modes, ECB is named after conventional physical codebooks: the message is divided into blocks, and each block is encrypted separately. So lacking a proper 128-bit initialization vector may also decrease overall AES-CBC security, since it might be easier to detect the same block of plaintext in two separate ciphertexts. So maybe encrypt your packed files with another tool until this is corrected.
https://sourceforge.net/p/sevenzip/bugs/2176/ with additional background adapted from https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)
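The leakage described above, as an added Python example that is not 7-Zip's code: textbook CBC run twice over two archives that share a prefix, once with a reused 8-byte-plus-zeros IV from a seeded non-cryptographic RNG (modelling the reported behaviour) and once with fresh 16-byte IVs from the OS CSPRNG. The block function is a keyed SHA-256 stand-in rather than AES, because the chaining and IV behaviour being demonstrated do not depend on the underlying cipher; the key, documents and seed are constructed.

```python
# Added example (not 7-Zip's code): how a reused, half-zero CBC IV lets an
# observer see that two ciphertexts begin with the same plaintext blocks,
# while fresh 128-bit random IVs do not. The block function below is a keyed
# SHA-256 stand-in, NOT AES; CBC's structure is what is being demonstrated.
import hashlib
import os
import random

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (keyed PRF from SHA-256)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV."""
    assert len(iv) == BLOCK, "CBC needs a full 128-bit IV"
    padded = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        chained = bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev))
        prev = block_encrypt(key, chained)
        out.append(prev)
    return b"".join(out)


def weak_iv(seed: int) -> bytes:
    """Models the reported behaviour: 8 bytes from a seedable, non-cryptographic
    RNG followed by 8 zero bytes. The same seed always yields the same IV, so
    two archives produced under the same seed share an IV."""
    return random.Random(seed).getrandbits(64).to_bytes(8, "big") + bytes(8)


def strong_iv() -> bytes:
    """What CBC actually needs: 16 bytes from the OS CSPRNG, fresh per message."""
    return os.urandom(BLOCK)


def matching_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Count leading ciphertext blocks two ciphertexts have in common. Under CBC
    with an identical IV this equals the number of leading plaintext blocks the
    two messages share; with distinct IVs it is 0 with overwhelming odds."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed inputs: one key and two documents whose first 32 bytes agree.
KEY = b"constructed-demo-key-not-secret!"
HEADER = b"CONFIDENTIAL report, Q1 2019 hdr"  # exactly two blocks long
assert len(HEADER) == 2 * BLOCK
DOC_A = HEADER + b"body A"
DOC_B = HEADER + b"body B"


def demo(seed: int = 1549000000) -> dict:
    """Compare leakage with a reused weak IV versus fresh strong IVs."""
    weak_a = cbc_encrypt(KEY, weak_iv(seed), DOC_A)
    weak_b = cbc_encrypt(KEY, weak_iv(seed), DOC_B)  # same seed -> same IV
    good_a = cbc_encrypt(KEY, strong_iv(), DOC_A)
    good_b = cbc_encrypt(KEY, strong_iv(), DOC_B)
    return {
        "weak_iv_shared_blocks": matching_prefix_blocks(weak_a, weak_b),    # 2
        "strong_iv_shared_blocks": matching_prefix_blocks(good_a, good_b),  # 0
    }


if __name__ == "__main__":
    print(demo())
```

Note that the weak IV has at most 64 bits of entropy (8 random bytes, 8 zero bytes) even when the RNG is not reseeded identically, which is why the page's point about the missing 128-bit IV matters beyond the outright collision shown here.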

A researcher discovered that large ecommerce and government sites got hacked via the Adminer database tool. The root cause is a protocol flaw in the MySQL database. It’s described right in the official MySQL documentation, which says:

The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)

Attempting to read in the tone of the author: “In theory”? An evil MySQL server which does exactly that can be found on GitHub, and was likely used to exfiltrate passwords from these hacked sites. It could also be used to steal SSH keys and crypto wallets.

The server has to know the full path of the file on the client for it to succeed. However, by first requesting information about the system’s environment, the server can learn a great deal about the folder structure on the client.

Several clients and libraries have built-in protection against this “feature”, or disable it by default (e.g. Golang, Python, PHP-PDO). But not all do, as the Adminer case demonstrates, and Adminer probably won’t be the last. https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/
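What the “built-in protection” looks like on the client side, as an added example that is not code from Adminer or any of the drivers mentioned: the MySQL wire packet is a 3-byte little-endian length, a 1-byte sequence id and the payload, and the server's request for a local file is a payload whose first byte is 0xFB followed by the file name. A safe client only honours that request when it is itself in the middle of a `LOAD DATA LOCAL INFILE` statement and the name matches the one the user wrote. The `decide_file_transfer` policy function and the packets below are constructed for illustration.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of the server's "send me this file" packet

# The statement the *client* issued; capture the file name the user named.
LOAD_DATA_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL wire packet (3-byte LE length, 1-byte seq)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(raw: bytes):
    """Split a MySQL wire packet into (sequence_id, payload)."""
    if len(raw) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return raw[3], payload


def local_infile_request(payload: bytes):
    """Return the file name the server asks for, or None if this is not such a request."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", "replace")
    return None


def decide_file_transfer(last_query: str, server_payload: bytes, allow_local_infile: bool):
    """Client-side policy (constructed): send a file only if LOCAL INFILE is
    enabled, the client's own last statement was LOAD DATA LOCAL INFILE, and the
    server asks for exactly the file that statement named.
    Returns (send, reason)."""
    requested = local_infile_request(server_payload)
    if requested is None:
        return False, "not a file request"
    if not allow_local_infile:
        return False, "LOCAL INFILE is disabled on this client"
    m = LOAD_DATA_LOCAL_RE.match(last_query)
    if not m:
        return False, f"server asked for {requested!r} in reply to a statement that is not LOAD DATA LOCAL"
    if m.group(1) != requested:
        return False, f"server asked for {requested!r} but the statement named {m.group(1)!r}"
    return True, "file was named by the client's own statement"


# Constructed packets: an OK reply (payload 0x00) and a file request.
OK_PACKET = build_packet(1, bytes([0x00]))
FILE_REQUEST = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/home/app/secrets.env")
```

The first check is the one that matters most: a server that answers `SELECT 1` with a file request is the scenario the documentation describes, and a client that only looks at the 0xFB byte will obey it. Where you control the client, prefer turning the feature off entirely: the `mysql` command-line client takes `--local-infile=0`, PyMySQL's `local_infile` connection option defaults to off, and PHP's PDO driver exposes `PDO::MYSQL_ATTR_LOCAL_INFILE`.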

A short blog post this week explores why so much software still isn’t secure after so many years. The author boils it down to this: “the existence of insecure software has so far helped society far more than it has harmed it.

Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before.” The link to the posting is in the show notes, if you’re interested. https://danielmiessler.com/blog/the-reason-software-remains-insecure/

Trend Micro engineers found applications in the Google Play store that drop the Anubis banking malware only after the device’s motion sensors report activity, in order to evade initial detection. The two apps were disguised as useful tools, simply named Currency Converter and BatterySaverMobi. Google has confirmed that both apps are no longer on the Play Store.

The battery app logged more than 5,000 downloads before it was taken down, and boasted a score of 4.5 stars from 73 reviewers. However, a close look at the posted reviews shows signs that they may not have been genuine. These apps don’t just use traditional evasion techniques; they also use the user’s and device’s motion to hide their activities.

As a user moves, their device generates some amount of motion sensor data. The malware developer assumes that a malware-scanning sandbox is an emulator with no motion sensors, and so will not produce that type of data. If that holds, the developer can tell whether the app is running in a sandbox simply by checking for sensor data.

The malicious app monitors the user’s steps through the device’s motion sensor. If it senses that the user and the device are not moving (i.e. it sees no sensor data and thus might be running in a sandbox), then the malicious code will not run.

A software bug, reported via the HackerOne platform, says that “Verifying a new email address on a Twitter account in the Android app causes the "Protect your Tweets" option to be unset, resulting in the user's tweets being made publicly visible.” This can lead to a user's private tweets being exposed to anyone until they notice the change to their privacy settings. An attacker would normally need direct access to the user's Twitter account to change the email. In this case a user could be tricked into changing their email if an attacker sent them a phishing email instructing them to do so. https://hackerone.com/reports/472013

Are you interested in finding and exploiting bugs in Marvell Avastar Wi-Fi chips? This week’s show notes have a link to a great in-depth blog posting on the topic. The author seeks to answer a question that has gone unanswered for quite some time. The question? To what extent is the Marvell WiFi FullMAC System-on-a-Chip (SoC) (not) secure? Since wireless devices based on this chip haven’t been fully researched by the community yet, they may contain a tremendous volume of unaudited code, which could mean severe security issues in the swarm of devices equipped with these WLAN cards. The author clearly states that the article is based on the material presented during their ZeroNights 2018 talk and invites readers to have a look at the original slides. References to additional research on wireless SoC security are also linked. Worth a read if this is your rabbit hole. https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/

In case hardware isn’t your thing, how about a Chrome extension designed for WordPress vulnerability scanning and information gathering? If that gets your attention, then maybe check out the WPintel GitHub link on this week’s post over at securityendeavors/SEHL. https://github.com/Tuhinshubhra/WPintel

Seeking to amplify the work of another researcher, this Twitter post compares that work to the poster’s own NetNTLMv1-to-Silver-Ticket work, noting that this one uses only Kerberos, which has a much larger footprint. The research post is called “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory” and says it contains new attack techniques. After reviewing the information, the Microsoft Security Response Center (MSRC) responded that “this is not an issue which will be addressed via a security update.”

While it’s unclear whether that means something more involved would be needed to address the risks outlined in the posting, what’s clear is that this is a wild toboggan ride that plumbs the depths of Kerberos delegation, and you will come out the other side either smarter or ready for an analgesic. https://twitter.com/NotMedic/status/1089699199891984384?s=20 & https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

A recent tweet shares some notes on resumes for those looking to get into InfoSec. The author offers their view on just how far classes, home study, conference attendance, and practicing on sites like HackInTheBox can take you. The post lists some of the “nontrivial amount of knowledge” that can only be learned on the job. Beyond the list of real-world experiences that contribute to growth and understanding of the work, the post goes on to say that at the end of the day, infosec is “measuring risk from a technical perspective and remediating that risk the best and most compatible way, custom, for every customer, every time.” Best to take a moment and read it for yourselves to get the full message. https://twitter.com/Viss/status/1089249931552993280?s=20

A researcher found a logic flaw where waiting on a two-factor login page could allow you to log in without knowing the current password on many major websites. The idea, if I’m reading this right, is to start logging in to a site and then pause at the two-factor entry page, where there’s a place to enter a one-time code. The attacker then triggers a password change request, which causes all active login sessions to be terminated. After waiting 10 to 15 minutes, it was still possible to enter a 2FA code and log in, without knowing the actual password. Reporting on the initial proof of concept didn’t get very far, since the login session expired in 20 minutes, so the researcher pressed on, testing additional scenarios. Diligence paid off when the researcher discovered a repeatable method to bypass session expiration, where the 2FA code kept working even when the option was disabled. Once able to expand the attack scenario on one company’s platform, curiosity led to discovering that other companies suffered from the same vulnerability. Of possibly greater concern than discovering this kind of risk is that more than one company responded to the reported bugs with “working as intended.”
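The root cause described above is that a password change terminates established sessions but not logins parked at the 2FA step. The added example below (constructed for these notes, not code from any of the sites in the report) models a two-step login service in a vulnerable and a hardened variant: the hardened one gives each user a credential version that is snapshotted when the first factor is verified, bumped on every password or 2FA-setting change, and checked again before the second factor is accepted. The TOTP routine is a standard RFC 6238 computation; the user names, secret and clock values are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERS = 50_000  # kept low so the example runs quickly; use more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 with dynamic truncation)."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    two_fa_enabled: bool = True
    credential_version: int = 0  # bumped whenever the password or 2FA settings change


@dataclass
class PendingLogin:
    user: str
    created: float
    credential_version: int  # snapshot taken when the first factor was verified


class AuthService:
    PENDING_TTL = 20 * 60  # seconds a half-finished login may sit on the 2FA page

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users = {}
        self.pending = {}   # token -> PendingLogin (waiting at the 2FA step)
        self.sessions = {}  # token -> user name (fully authenticated)
        self.now = time.time  # injectable clock so the behaviour can be tested

    def register(self, name, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[name] = User(salt, hash_password(password, salt), totp_secret)

    def begin_login(self, name, password):
        """First factor. Returns a token for the 2FA page, or None."""
        u = self.users[name]
        if not hmac.compare_digest(u.pw_hash, hash_password(password, u.salt)):
            return None
        tok = secrets.token_urlsafe(16)
        self.pending[tok] = PendingLogin(name, self.now(), u.credential_version)
        return tok

    def _credentials_changed(self, name):
        self.users[name].credential_version += 1
        # Both variants terminate established sessions, as the sites in the post did ...
        self.sessions = {t: n for t, n in self.sessions.items() if n != name}
        if self.hardened:
            # ... but only the hardened one also discards logins parked at the 2FA step.
            self.pending = {t: p for t, p in self.pending.items() if p.user != name}

    def change_password(self, name, new_password):
        u = self.users[name]
        u.salt = secrets.token_bytes(16)
        u.pw_hash = hash_password(new_password, u.salt)
        self._credentials_changed(name)

    def set_two_fa(self, name, enabled):
        self.users[name].two_fa_enabled = enabled
        self._credentials_changed(name)

    def complete_2fa(self, tok, code):
        """Second factor. Returns a session token, or None."""
        p = self.pending.get(tok)
        if p is None or self.now() - p.created > self.PENDING_TTL:
            self.pending.pop(tok, None)
            return None
        u = self.users[p.user]
        if self.hardened and p.credential_version != u.credential_version:
            del self.pending[tok]  # defence in depth, in case the purge above was missed
            return None
        if u.two_fa_enabled and not hmac.compare_digest(code, totp(u.totp_secret, self.now())):
            return None
        del self.pending[tok]
        sess = secrets.token_urlsafe(16)
        self.sessions[sess] = p.user
        return sess
```

The general rule this illustrates: anything that represents "the password was checked" is a credential, and every place that stores one (sessions, remember-me cookies, pending 2FA challenges, password-reset flows) must be invalidated together when the password or the second factor changes.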

Are you a visual learner who finds man pages just too painful to read through? Maybe take a look at the work of a cartoonist who draws out common use cases for commands. It could be the easiest way to read through the flags for curl that I’ve ever seen. https://twitter.com/b0rk/status/1088981000955355136?s=20

Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.

Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to the show’s content. Visit them at Malgregator.com.

InfoSec Week 3, 2019 (Link to original Malgregator.com posting for this week)

A 35-year-old vulnerability has been discovered in the Secure Copy Program (SCP) file transfer utility. Many scp clients fail to verify that the objects returned by the scp server match those they asked for. The issue dates back to 1983 and the remote copy program (rcp), on which scp is based. A separate flaw in the client allows the target directory’s attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow a server to spoof the client’s output.

The page says Tectia SSH’s scpg3 is not affected since it exclusively uses the secure ftp (sftp) protocol. The page goes on to suggest mitigations: switch to OpenSSH, and switch to sftp if possible. There is a patch, but it doesn’t cover all use cases; PuTTY doesn’t have a fix yet; and users of WinSCP should upgrade to v5.14 or later.
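The missing check is easy to state: the scp server announces each object it is about to send with a one-line record (`C<mode> <size> <name>` for a file, `D<mode> <size> <name>` to enter a directory, `E` to leave it, `T...` for timestamps), and a careful client compares those names against what the user typed before writing anything. The validator below is an added example written for these notes, not code from OpenSSH, PuTTY or WinSCP; it accepts only single path components (no `/`, `.` or `..`, which is how the target directory's attributes got rewritten), only directories when a recursive copy was requested, and at the top level only names that match the user's request. The sample records are constructed.

```python
import fnmatch
import re

# Control records an scp sink receives ahead of each object, for example
# "C0644 1234 report.txt" (file), "D0755 0 logs" (enter directory), "E" (leave it).
RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def safe_name(name: str) -> bool:
    """A name announced by the server must be a single, plain path component."""
    return (name not in ("", ".", "..")
            and "/" not in name and "\\" not in name
            and "\n" not in name and "\0" not in name)


def validate_transfer(requested, records, recursive=False):
    """Check the objects a server announces against what the client asked for.

    requested: names or glob patterns the user typed (e.g. ["report.txt"], ["*.log"])
    records:   control lines exactly as sent by the server, in order
    Returns (accepted_names, [(record, reason), ...]).
    """
    accepted, rejected = [], []
    depth = 0  # how many directories we are currently inside
    for rec in records:
        kind = rec[:1]
        if kind == "E":
            if depth == 0:
                rejected.append((rec, "end-of-directory with no directory open"))
            else:
                depth -= 1
            continue
        if kind == "T":
            continue  # timestamps apply to the next record, which is checked on its own
        m = RECORD_RE.match(rec)
        if not m:
            rejected.append((rec, "malformed record"))
            continue
        kind, mode, size, name = m.groups()
        if not safe_name(name):
            rejected.append((rec, "name is not a plain file name"))
            continue
        if kind == "D" and not recursive:
            rejected.append((rec, "directory sent but a recursive copy was not requested"))
            continue
        if depth == 0 and not any(fnmatch.fnmatchcase(name, pat) for pat in requested):
            rejected.append((rec, "object was not requested"))
            continue
        accepted.append(name)
        if kind == "D":
            depth += 1
    return accepted, rejected
```

Names inside a requested directory are not matched against the request (the user asked for the whole tree) but still have to be plain components, so a server cannot walk out of the destination with a `..` entry. Rejecting a record rather than silently skipping it matters too: the spoofed-output flaws rely on the client printing whatever the server sends.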

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

With federal employees currently furloughed, more than 80 Transport Layer Security (TLS) certificates used by .gov websites have so far expired without the ability to be replaced or updated. To compound the situation, some of these sites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

Researchers have found a new kind of Windows malware that receives “encrypted” instructions via the messaging app Telegram. What’s really interesting is that analysts from Forcepoint Labs were able to retroactively scrape and correlate all the messages issued by the malware operator because Telegram messages have unique IDs and malware.

The researchers described their newly discovered malware, dubbed GoodSender, as a “fairly simple” Windows-based malware that’s about a year old, which uses Telegram as the method to listen and wait for commands. Once the malware infects its target, it creates a new administrator account and enables a remote desktop — and waits. As soon as the malware infects, it sends the username and randomly generated password to the attacker through Telegram.

It’s not the first time malware has used a commercial product to communicate commands; bad actors have been known to embed instructions in pictures posted to Twitter or in comments left on celebrity Instagram posts.

The theory must be that using an encrypted messenger makes it far harder to detect. Forcepoint said in its research, published Thursday, that it only stumbled across the malware after it found a vulnerability in Telegram’s “notoriously bad encryption”.

The messages are encrypted using the app’s proprietary MTProto protocol, long slammed by cryptographers for leaking metadata and having flaws, and likened to “being stabbed in the eye with a fork.” Its bots, however, only use traditional TLS — or HTTPS — to communicate. The leaking metadata makes it easy to man-in-the-middle the connection and abuse not only the bots’ API to read bot-sent and received messages, but also allows the recovery of the full messaging history of the target bot, the researchers say. https://techcrunch.com/2019/01/17/decrypted-telegram-bot-windows-malware

In March of this year, researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge, which will include a Tesla Model 3 on-site as a target for the automotive category, with six different focal points for in-scope research. The first successful researcher can also drive off in their own brand new Model 3 after the competition ends. Definitely check out the rules on their page for details.

Microsoft returns, leading the virtualization category, where the target is a successful Hyper-V Client guest-to-host escalation. VMware ESXi and VMware Workstation are targets as well, as is Oracle VirtualBox, rounding out the tools that cloud computing relies on so heavily.

Security researcher Troy Hunt has updated his Have I Been Pwned service after finding 87GB of leaked passwords and email addresses on the cloud storage provider MEGA. The total number of unique password and email combinations now nears 773 million records. The raw dump, called Collection #1 in his posting, is a set of email addresses and passwords totalling well over two billion rows (2,692,818,238), which is considerably more than a 32-bit integer can even hold. It's made up of many different individual data breaches from literally thousands of different sources. Hunt himself says he found his own older, but accurate, information in it. What caused him a “sense of dismay” was that the data contains "dehashed" passwords which have been cracked and converted back into plain text. There's a link to an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 are as good as useless. In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see. https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
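Why "dehashed" passwords show up in a dump like this, as an added example rather than anything from Hunt's post: a salted SHA-1 hash is fast by design, so each guess in an offline dictionary run costs about a microsecond, while a deliberately slow, tunable password hash such as PBKDF2 makes every guess cost the same work as a legitimate login. The block below implements both, a self-describing storage format so the cost can be raised later, and a small benchmark that returns how many times more expensive each guess becomes. Iteration counts and the sample password are constructed for illustration.

```python
import hashlib
import secrets
import time

PBKDF2_ITERATIONS = 20_000  # kept low so the example runs quickly; tune much higher in production


def salted_sha1(password: str, salt: bytes) -> bytes:
    # What many breached sites used: a general-purpose hash, fast on every CPU and GPU.
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # A slow, tunable password hash available in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Encode scheme, cost, salt and digest together so the cost can be raised later."""
    salt = secrets.token_bytes(16)
    digest = pbkdf2(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    candidate = pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(hasher, n_guesses: int) -> float:
    """Average cost of one dictionary guess against a hash whose salt is known
    (the salt is always known to whoever holds the dump)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(n_guesses):
        hasher(f"guess{i}", salt)
    return (time.perf_counter() - start) / n_guesses


def slowdown_factor() -> float:
    """How many times more expensive each guess is against PBKDF2 than salted SHA-1."""
    return seconds_per_guess(pbkdf2, 5) / seconds_per_guess(salted_sha1, 5000)
```

The salt still matters (it stops one precomputed table from covering every user), but it does nothing about per-guess cost, which is the only thing standing between a leaked database and the plaintext passwords in a dump like Collection #1.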

There was a massive data breach at the Oklahoma Securities Commission exposing millions of documents containing decades worth of confidential case file intelligence both from the agency and from sensitive FBI investigation source materials. “By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” read a report summary released by California-based cybersecurity firm UpGuard.

The big data disclosure, involving major corporations like AT&T, Goldman Sachs and Lehman Brothers and released Wednesday, says that UpGuard’s Data Breach Research team confirmed that a server belonging to the Oklahoma department, which is tasked with keeping tabs on all financial securities business in the state, was “publicly accessible” on Nov. 30 of last year. The report found that the three terabytes of exposed data at the fingertips of cyber pirates included spreadsheets “documenting the timeline for investigations by the FBI and people they interviewed” as well as training documents, emails and supporting files for Department of Securities investigations. https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862

Attackers broke into an SEC database and made millions from insider information. Federal prosecutors unveiled charges in an international stock-trading scheme that involved breaking into the Securities and Exchange Commission’s EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s website. The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. The attackers used malicious software sent via email to SEC employees. Then, after planting the software on SEC computers, they sent the information they gathered from the EDGAR system to servers in Lithuania, where it was either used or distributed. The incident, when it occurred, sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to detect market manipulation and other malicious behavior. https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html

A malicious former employee installed a Raspberry Pi in the company network closet, and the Reddit crowd helped with the investigation. This story is a good read about discovering the kind of device you do not want to find inside your company’s network. The positive thing is how much help the Reddit community offered to unravel the mysteries of what it was and what it was (supposedly) meant to be used for. Interesting stuff to be sure! https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html

Do you have experience with authentication? Can you tell the difference between AuthN and AuthZ? That’s authentication vs. authorization, just in case. If you’ve been looking for a resource that describes the concept of authentication factors and how enrollment gets increasingly complex the more factors you add, a recent blog post by Apenwarr goes into what the factors are and explains the difference between multi-factor and multiple single factors. Hint: multi-factor requires methods from different categories. The article also talks about the current state of enrollment processes and why U2F seems to make domain validation “like magic”. Happy reading! https://apenwarr.ca/log/20190114

Noise Protocol Framework Explorer, the tool created by Nadim Kobeissi, now supports generating secure implementations in Go for any arbitrary Noise Handshake Pattern. The author invites people to try out the beta at noiseexplorer.com. The blurb from the page says it’s possible to: Instantly generate full symbolic models in the applied pi calculus for any Noise Handshake Pattern that you enter. Using ProVerif, these models can be analyzed against passive and active attackers with malicious principals. The model's top-level process and sophisticated queries are specifically generated to be relevant to your Noise Handshake Pattern, including tests for strong vs. weak forward secrecy and resistance to key compromise impersonation. Noise Explorer also automatically generates a secure implementation of your chosen Noise Handshake Pattern design, written in Go. https://twitter.com/i/web/status/1085629955202011136

CERT Poland (CERT Polska) opens access to its malware database (MWDB). Analysis of current threats is one of the most common challenges facing almost any organization dealing with cybersecurity. From year to year it becomes a harder nut to crack, undoubtedly influenced by the growing scale of criminal activity and its sophistication. In the face of this situation, efficient exchange of information between researchers is a key issue.

The MWDB system (also known as the “Malware Database”) is a repository for storing malware samples and information acquired during their analysis. The simplest example of this type of data can be the relation of a specific sample with a given malware family, or the addresses of the C&C servers used by it.

Each user, after logging into the system, can see samples of malicious software in reverse chronological order. Of course this only applies to samples available to that particular person (uploaded or derived objects). Each object carries so-called tags that refer to the classification used by CERT Poland during analyses (e.g. assignment to malware families, specific phishing campaigns, etc.). https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/

Police arrested a 20-year-old suspect in central Hesse in connection with the December data breach of hundreds of politicians. https://www.thelocal.de/20190108/suspect-20-arrested-over-massive-german-politician-data-hack

Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. https://lwn.net/Articles/776404/

Y2K 2.0? The year-2038 apocalypse is now closer to the present than the year-2000 problem was when it made headlines. https://lwn.net/Articles/776435/

Samsung phone users perturbed to find they can't delete Facebook. According to a Hacker News comment (2nd link), it should be possible to delete the application via cable using ADB. I didn't try it. https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-a-shock-they-can-t-delete-facebook https://news.ycombinator.com/item?id=18864354

The Australian government issued a warning regarding a WhatsApp hoax that promotes installation of a ‘gold’ version of the application. Installation leads to a malware infection. https://cyber.gov.au/individual/news/whatsapp-gold-hoax/

After Motherboard's article about US carriers selling customers' location data, senators call on the FCC to investigate T-Mobile, AT&T, and Sprint. https://motherboard.vice.com/en_us/article/j5z74d/senators-harris-warner-wyden-fcc-investigate-att-sprint-tmobile-bounty-hunters

The story of how an I.T. consultant gave the F.B.I. the secret encryption keys in 2011 for a custom SIP-based communication system came out during the trial of Mexican drug lord Joaquín "El Chapo" Guzmán. El Chapo also spied on his wife and fiancées using FlexiSPY spyware, whose provider was subpoenaed by the FBI. https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html https://twitter.com/alanfeuer/status/1083033189956964353

Singapore's ministry of communications and information published the "Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database". If you are into incident response, this report is a really great resource. https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?la=en

Back in 2015, Facebook filed a patent application describing how to track user relationships using the dust on a camera lens. https://gizmodo.com/facebook-knows-how-to-track-you-using-the-dust-on-your-1821030620

If your computer relies on BitLocker in TPM-only mode (boot without a PIN), it is possible to extract the cryptographic key material from the computer and decrypt the hard drive. https://twitter.com/marcan42/status/1080869868889501696 Additional information: https://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption

InfoSec Week 1, 2019

Let's Encrypt recapped the last year of operating their ACME-based certificate authority and summarized the challenges they will work on in 2019. They intend to deploy multi-perspective validation, performing domain validation from multiple distinct Autonomous Systems to defeat potential BGP hijacks. They also plan to run their own Certificate Transparency (CT) log. https://letsencrypt.org/2018/12/31/looking-forward-to-2019.html

I got my start in media recording 'news' for my school on Public Access. When looking for a project to contribute to, identifying a space that doesn't seem to get good coverage seems a decent place to start. Information security news gets tons of airplay, but I haven't really found a podcast that offers a decent weekly roundup. Here's my take on one. That doesn't mean there aren't any out there. Maybe I've simply missed it/them. This should improve as the weeks go by. The goal is one episode a week, around 10 minutes or less in length. There's tons of information out there and I stumbled across Malgregator.com, who have kindly agreed to allow me to use the weekly roundup they compile. Please take a moment to thank them. Theirs is the information I'll be pointing back to each week and will be the source for the show notes.